False sense of cyber security

Small to medium-size businesses may not understand they face many of the same data security challenges as major corporations

Story by Rick Berg

For every major data security breach we hear about, there are dozens of attacks on smaller businesses that go unreported. Symantec, a leading provider of antivirus and other data security services, in its 2016 Internet Security Threat Report, estimated that small businesses were the targets of 43 percent of the phishing attacks launched last year – up 9 percent from 2015 and up dramatically from just 18 percent in 2011.

While large businesses remain the primary targets for cyber criminals, smaller businesses have become more attractive, in part because they have fewer security resources and, even worse, many appear to be cutting their already slim technology security budgets.

In that sense, small business has become the “low-hanging fruit” for data thieves. The international accounting firm PricewaterhouseCoopers reported last year that smaller firms – those with annual revenue of less than $100 million, had cut their data security spending by 20 percent in 2014, while larger firms continue to increase their security spending.

Cyber security vendor Kaspersky Lab, which monitors cyber threats internationally, noted in a recent report that “larger enterprises have become better defended so cybercriminals are moving down the business food chain.”

“We hear about the big guys when their data is breached, but we don’t hear about the little guys. It’s not newsworthy,” said Joe Cicero, a network specialist instructor at Northeast Wisconsin Technical College in Green Bay, who focuses on cyber security and computer forensics.

In fact, Cicero said, one of the most notorious recent data breaches occurred in 2013 at Target as a result of a breach at a smaller company – one of Target’s suppliers. While Target’s data security protocols were found to be at fault, the hackers’ job was made a lot easier by their ability to use the third-party vendor’s system as a back door to Target.

Byron Franz, a special agent with the Milwaukee office of the Federal Bureau of Investigation focusing on cyber security, said while most of the media attention is paid to large breaches like the one at Target, cyber-attacks on smaller businesses strike at “the lifeline of the economy – and they are attacked as much as the big guys.”

Andy Hull, information security officer at Heartland Technology Group in Little Chute, noted the vulnerability of small to medium-size businesses has been highlighted by “a huge uptick in ransomware attacks at these businesses over the past six months.”

Data held hostage

Ransomware attacks are just the latest cyber threat to emerge, and these are largely targeting smaller businesses not as securely defended as large companies and who don’t routinely and securely back up their data. The FBI estimates ransomware attacks cost U.S. businesses upwards of $150 million per year. That’s an estimate only, because the FBI suspects that many companies simply pay the ransom and don’t want the embarrassment of having their data breach publicly exposed.

A ransomware attack works like this: Often triggered by a spear-phishing email, an employee opens an infected file, clicks on an infected pop-up ad or visits an infected website. That action unleashes malware in your system, which then encrypts your data so it’s inaccessible to you. In order to regain access to your data, you’re instructed to pay a ransom – usually in the form of a Bitcoin payment, which is untraceable. Paying the ransom, of course, is no guarantee that you’ll get access to your data back, so you may be hit for further payments.

While antivirus software, firewalls and pop-up blockers can help mitigate the chances of a ransomware attack, the safest solution is to remotely back up your data frequently, so it is inaccessible to the attackers. If you’ve done that, you can simply restore your data without paying ransom – after having the ransomware removed from your system.

Insuring your data & integrity

The rise in ransomware and other cyber-attacks has been accompanied by the increasing availability of cyber security insurance, according to Mike Fitzgibbon, a commercial insurance specialist with Valley Insurance Associates in Appleton.

“It’s been slow to gain acceptance,” Fitzgibbon said, “but people are at least aware that the insurance is out there and there’s more awareness of the cyber security threat. It’s similar to the HR insurance programs that came out a few years ago. As companies became more aware of the potential for personnel lawsuits, those HR policies were more widely adopted. There’s certainly more dialog going on today about cyber security policies.”

Policies can include first-party coverage, which would reimburse the business for direct costs associated with a data security breach, and third-party coverage, which would indemnify the business against claims being brought by a customer or other outside entity bringing a liability claim against the business.

The Ponemon lnstitute’s 2015 Cost of Data Breach Study concluded that data breaches on average leave companies on the hook for $3.79 million in damages per incident.

A cyber security insurance policy can even provide reimbursement for ransom paid to recover data, though the insurance company would not pay the money directly to the cyber criminals. The FBI and insurance companies generally recommend against paying ransom for data, since it only encourages further attacks and there is no guarantee that the data will be returned.

Train, but verify

There are many ways to reduce your exposure to cyber-attacks, but the most important and least expensive is putting cyber security policies in place and then educating your employees on those policies, according to FBI Agent Franz.

Among the key policies: Employees should never open suspicious attachments or links in emails or online ads; should have clear directives about what programs they can have installed on their workstations; should follow good password practices; and should back up their work frequently.

Providing education to employees is critical, but equally important is verifying that the training is being followed. Franz recommends using internal or external “white hat hackers” to test your employees’ follow through of such policies.

“One of the best ways we’ve found to see how your training is working is to have your own IT people or someone outside the organization send phishing emails to your employees to see if they fall for it,” Franz said.

The idea is not to punish those who “fail” the test, Franz said, but to identify where retraining and reinforcement is needed.

People, Process, Technology

While his company’s primary role is providing technology solutions, Heartland’s Hull said technology can’t help very much if a business does not also put cyber-security policies and practices in place and then make sure employees understand their roles in safeguarding data.

The Identity Theft Resource Center reported 781 data breaches were recorded in the U.S. in 2015, and nearly half of those were the result of employee error, improper disposal of documents, lost equipment and other non-technological failures.

“It all comes down to a layered approach,” Hull said. “We talk about people, process and technology working together.”

Part of Hull’s role at Heartland is to provide security-focused assessments at businesses, looking at both technology and the processes in place.

“One of the things we often find, for example, is that businesses may have a backup system in place, but they’re not validating that the backup is working the way it’s supposed to,” Hull said. “An assessment can help identify that. You don’t know what you don’t know.”

Outside assessment services like Heartland’s are beginning to emerge, in part, because smaller businesses don’t typically have the internal IT resources available.

If a business does choose to purchase cyber-liability insurance, they can be assured the insurance company is going to provide significant expert resources to minimize the chances that the policy will ever have to pay out.

Dick Sauberlich, IT administrator at Valley Insurance Associates, said that’s a primary role he fills at VIA and a valuable service for clients.

“People often have a very narrow view of what cyber security is,” said Sauberlich. “One of the things we want to do is help broaden their perspective to understand that anyone connected to the Internet has some exposure and to help them identify ways to reduce that exposure.”

Cicero agrees that outside expertise is critical for small to medium-size businesses, but he also said it’s important for business owners to educate themselves and stay educated about data security threats.

Data security vendors like McAfee, Symantec, Kaspersky Lab and Trend Micro all produce updated reports on security threats, and businesses should pay close attention to those reports to understand where the next attack might come from, Cicero said.

“Find out what the highest attack vector is today and then secure that vector,” Cicero said.

Franz recommends that businesses take advantage of free cyber security resources like the National Institute of Standards and Technology’s Cybersecurity Framework (www.nist.gov/cyberframework).

While a business might not be able to financially implement all the recommendations available, “the important thing is to get the best cyber security you can afford and keep educating yourself and your employees about best practices,” Franz said.